PostgreSQL 18.3 Released Alongside Coordinated Five-Version Security Update
The PostgreSQL Global Development Group releases PostgreSQL 18.3, 17.9, 16.13, 15.17, and 14.22 in a coordinated update addressing multiple security vulnerabilities across all supported versions — including a high-severity SQL injection flaw in the pg_restore utility.
The PostgreSQL Global Development Group released PostgreSQL 18.3, 17.9, 16.13, 15.17, and 14.22 on February 26, 2026, in a coordinated update that addresses multiple security vulnerabilities across all currently supported versions of the world's most advanced open-source relational database.
Security Fixes
The most critical fix addresses a high-severity SQL injection vulnerability in the pg_restore utility that could allow an attacker who controls a database backup file to execute arbitrary SQL commands during the restoration process. The vulnerability is particularly dangerous in automated backup-and-restore pipelines where backup files may come from less-trusted sources. Additional fixes address privilege escalation through certain extension functions and an information disclosure vulnerability in the query planner's error messages.
PostgreSQL 18.3 Improvements
Beyond security fixes, PostgreSQL 18.3 includes bug fixes for the new features introduced in PostgreSQL 18.0, including improvements to the native columnar storage engine, corrections to the parallel query optimizer for partitioned tables, and fixes for edge cases in the new incremental backup functionality. The release also addresses a regression in connection handling that could cause brief connection drops during autovacuum operations under high concurrency.
Upgrade Recommendations
The PostgreSQL team recommends that all users of supported versions apply the update as soon as possible, with particular urgency for installations that use pg_restore in automated pipelines. PostgreSQL 14 is in its final year of support, with end of life scheduled for November 2026. Organizations still running PostgreSQL 13 or earlier are on unsupported versions and should plan their upgrade to a supported release.